Remote Desktop Services in Windows 2008 R2 – Part 2 – RD Gateway

Welcome to the second article in this series on Remote Desktop Services in Windows 2008 R2. We were first introduced to the Remote Desktop (RD) Gateway in the first release of Windows 2008 and as previously mentioned in part 1 of this series, the RD Gateway was formerly known as Terminal Server (TS) Gateway. TS Gateway opened up Remote Access barriers providing access to our Terminal Servers via SSL or port 443, as opposed to the conventional “legacy” VPN access through either IPSEC or L2TP. In Windows Server 2008 R2, not much has changed and in today’s article I will provide you with a step by step guide on configuring your RD Gateway which will provide your remote users access to the Remote Desktop Host or RD Web Access via any Internet connection utilising Remote Desktop Connection client over HTTPS. If you missed part 1 of this series which discussed the installation of your Remote Desktop Role and services, you can access it here.

There are a number of prerequisites that are required in order for the RD Gateway to function and these were all setup in part 1 of this series. For reference I have listed these below;

In the left navigation pane of your RD Gateway Manager MMC console, click on your server and select properties under Actions. We will now go through each tab under the server properties and make any necessary configuration changes. Let’s refer to this process as post wizard configuration.

Under the General Tab, we are provided with the ability to configure the maximum number of connections that are allowed to connect to this RD Gateway. If you are concerned with server performance, we can set a hard limit of allowed simultaneous connections. We can also disable new connections if we are performing scheduled maintenance on our server.

The next tab allows us to secure the RD Gateway by using an SSL certificate. We can create a self-signed certificate (recall that this was completed during the initial install wizard in part 1 of this series), select an existing certificate that is located on the server under Certificates / Personal store or Import a certificate that we have requested via a 3rd Party Certification Authority (CA) or utilising an internal CA. It is deemed best practice to utilise a 3rd party CA that participates in the Microsoft Root Certification Members Programme alleviating the headache that is usually involved in exporting the root certificate, distributing them to your end users and then providing them with instructions on how to import them into their local machines. Utilising a self-signed certificate is usually reserved for testing purposes only, and not in a production environment, however it will suffice in this step by step guide.

The third tab introduces the RD CAP Store and provides us with the ability to utilise our local server running Network Policy Server (NPS) or the ability to specify a central server that is already configured and running NPS. This was also initially configured during the installation wizard of our Remote Desktop Services role in part 1.

The next tab, Server Farm, allows us to specify farm members for the RD Gateway. As a minimum we need to Add this RD Gateway server below as follows. You do so by entering the fully qualified domain name of the server and clicking on Add. It will then add it below under Remote Desktop Gateway server farm status as per the below screen capture.

You will notice the above warning regarding the registry not being updated. This warning will disappear and the status will change to OK after clicking on Apply.

The next tab allows you to select or deselect events that you would wish to log. These corresponding events are stored in Event Viewer under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\. By default, all items under the Auditing tab are selected to be captured and logged. The below screen capture is an example of the TerminalServices – Gateway Event Viewer on our Windows 2008 R2 server.

SSL bridging is next and is required to be configured if you are utilizing Microsoft ISA Server to further secure the RD Gateway. Microsoft ISA Server is a great application level firewall which offers reverse proxy and can be configured to work hand in hand in providing secure access over SSL.

The last tab in the RD Gateway properties is Messaging which was not present in Windows 2008 TS Gateway. This is a welcome addition for administrators to utilise when pre-planning for system maintenance and wanting to advise users with a global system notification, and the also providing the ability to set a logon message such as the company’s logon policy.

The first area within the Messaging tab is the ability to set a timed system message with the ability to set a start date/time and end date/time.

When a user logs in via the RD Gateway, they will be presented with the following message that we configured above;

The second area under messaging allows you to specify a message such as your company’s logon policy that will appear each time a user logs into the RD Gateway remote computer. This is simply a text file with the contents within.

The below similar notice is what will appear when logging on to your Remote Desktop Host via the RD Gateway

You will notice that the system will not continue to login (the OK button is dimmed) unless you accept the terms of this policy.

The last option allows you to specify that connections to the Remote Desktop Host via the RD Gateway will be restricted to clients that support RD Gateway messaging which is anything greater than Remote Desktop Client version 7.

Now prior to connecting to the RD Gateway and testing our setup, we will need to export the self-signed SSL certificate located on the RD Gateway and install it on our client computer that we will be connecting from. The easiest way to accomplish this is to open the Certificates MMC snap-in, locate the certificate from the Personal / Certificates store, and right click, All Tasks / Export.

This will invoke the below Certificate Export Wizard.

Click Next

Select Yes, export the private key.

Click Next.

Select, Include all certificates in the certificate path if possible

Click Next. Type and confirm a password and then click Next again.

Specify a name and location to export the pfx certificate file.

Click Next and then Finish.

We can now copy or email the exported certificate to our end users who will then install the certificate to their local personal store. This can be easily achieved by double clicking on the exported certificate and invoking the Certificate Import Wizard. Please ensure that when you come to the Certificate Store section of the Import Wizard that you select “Place all certificates in the following store” and select “Trusted Root Certification Authorities”.

Now that we have successfully imported the root self signed certificate authority, we can now test our setup and login to our remote computer via the RD Gateway. Before we begin, you need to ensure that you are running the latest Remote Desktop Connection client which is version 7. This version is already included with Windows 7 and is made available for download to Windows Vista SP1 and SP2 clients and to Windows XP SP3 clients. This can be downloaded from the Microsoft Support site; http://support.microsoft.com/kb/969084

The above article also provides you with a comprehensive list of new features and their explanations that are only possible with RDC 7 and Windows 2008 R2. I have listed these below for convenience;

Then click OK. Ensure that Bypass RD Gateway server for local addresses is deselected. Navigate back to the General Tab and enter the Computer and User name details and then click Connect when ready.

The following Windows Security popup will appear asking you to authenticate prior to launching a full remote desktop session.

After entering your credentials and clicking OK, You will be prompted to accept the login policy that we specified earlier under the Messaging tab of the RD Gateway properties.

So that’s it, we are now logged in to the Remote Desktop Host via the RD Gateway. We can confirm this by clicking on the spanner located on the top toolbar which will output the Remote Computer and Gateway Server that we are connected to. It also states that the connection to the remote computer was made using a Remote Desktop Gateway server.

That’s it for now. In our next and final article I will discuss Remote Desktop (RD) Web Access and the publishing of Remote Desktop Applications, so stay tuned.

I have successfully connected my Remote Desktop server (session host) following this article. It was in intranet. But failing to access it from intranet, considering the client machine is not a member of my domain. It is showing RD gateway address is not correct. can you please show me the way ?
Thanks and regards.